diff --git a/server/src/responders/handlers.js b/server/src/responders/handlers.js
--- a/server/src/responders/handlers.js
+++ b/server/src/responders/handlers.js
@@ -47,14 +47,14 @@
         res,
         result,
         expectCookieInvalidation,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
       );
       res.json({ success: true, ...result });
     } catch (e) {
       await handleException(
         e,
         res,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
         viewer,
         expectCookieInvalidation,
       );
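Review bot: `getAppURLFactsFromRequestURL(req.originalUrl)` is now evaluated separately on the success path and in the `catch` of this handler, and the same expression recurs in the later hunks of this file (at -74, -91, -149 and -199). Computing it once before the `try`, as `const appURLFacts = getAppURLFactsFromRequestURL(req.originalUrl);`, would keep the cookie handling and the exception path on the same facts and leave one place to explain the choice. A short comment there, such as `// Express rewrites req.url relative to the router mount point; originalUrl keeps the full path`, would stop a later cleanup from reverting to `req.url`. Whether the helper can throw on an unrecognised path is not visible here, so confirm that hoisting it out of the `try` does not change error handling. The enclosing functions start and end outside these hunks.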
@@ -74,7 +74,7 @@
       await handleException(
         e,
         res,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
         viewer,
       );
     }
@@ -91,7 +91,11 @@
     } catch (e) {
       // Passing viewer in only makes sense if we want to handle failures as
       // JSON. We don't, and presume all download handlers avoid ServerError.
-      await handleException(e, res, getAppURLFactsFromRequestURL(req.url));
+      await handleException(
+        e,
+        res,
+        getAppURLFactsFromRequestURL(req.originalUrl),
+      );
     }
   };
 }
@@ -149,7 +153,7 @@
       addCookieToHomeResponse(
         viewer,
         res,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
       );
       res.type('html');
       await responder(viewer, req, res);
@@ -199,14 +203,14 @@
         res,
         result,
         false,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
       );
       res.json({ success: true, ...result });
     } catch (e) {
       await handleException(
         e,
         res,
-        getAppURLFactsFromRequestURL(req.url),
+        getAppURLFactsFromRequestURL(req.originalUrl),
         viewer,
       );
     }
diff --git a/server/src/responders/website-responders.js b/server/src/responders/website-responders.js
--- a/server/src/responders/website-responders.js
+++ b/server/src/responders/website-responders.js
@@ -115,7 +115,7 @@
   req: $Request,
   res: $Response,
 ): Promise<void> {
-  const appURLFacts = getAppURLFactsFromRequestURL(req.url);
+  const appURLFacts = getAppURLFactsFromRequestURL(req.originalUrl);
   const { basePath, baseDomain } = appURLFacts;
   const baseURL = basePath.replace(/\/$/, '');
   const baseHref = baseDomain + baseURL;
diff --git a/server/src/utils/security-utils.js b/server/src/utils/security-utils.js
--- a/server/src/utils/security-utils.js
+++ b/server/src/utils/security-utils.js
@@ -5,7 +5,7 @@
 import { getAppURLFactsFromRequestURL } from './urls';
 
 function assertSecureRequest(req: $Request) {
-  const { https } = getAppURLFactsFromRequestURL(req.url);
+  const { https } = getAppURLFactsFromRequestURL(req.originalUrl);
   if (https && req.get('X-Forwarded-SSL') !== 'on') {
     throw new Error('insecure request');
   }
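Review bot: `assertSecureRequest` decides whether HTTPS is required from `req.originalUrl`, a client-supplied path, and then trusts the `X-Forwarded-SSL` request header; neither assumption is documented. If `getAppURLFactsFromRequestURL` can return `https: false` for some path (its body is not visible in this hunk), a request on that path is never checked. The header comparison is only meaningful when the TLS-terminating proxy overwrites or strips any `X-Forwarded-SSL` value sent by the client. I would add a comment above the function, e.g. `// Relies on the reverse proxy setting X-Forwarded-SSL itself and discarding client-supplied values; the https flag comes from the app prefix matched on originalUrl`. The function's closing brace lies outside the hunk.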